# Environment Configuration Example
# Copy this file to .env and customize as needed

# Server Configuration
PORT=1999
HOST=localhost
GO_ENV=development

# Template Configuration
TEMPLATE_DIR=templates
PARTIALS_DIR=templates/partials
TEMPLATE_HOT_RELOAD=true

# Data Configuration
DATA_DIR=data

# Server Timeouts (seconds)
READ_TIMEOUT=15
WRITE_TIMEOUT=15

# Security Configuration
# Allowed origins for API access (comma-separated domains)
# Prevents external sites from accessing your API/PDF endpoint
#
# DEFAULT: If empty, defaults to juan.andres.morenorub.io (the CV site domain)
# Plus localhost and 127.0.0.1 are always allowed in development
#
# For custom domains in production: ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
# Multiple domains: ALLOWED_ORIGINS=domain1.com,domain2.com,www.domain1.com
ALLOWED_ORIGINS=

# Rate Limiter Configuration
# CRITICAL: Prevents IP spoofing attacks that bypass rate limiting
#
# BEHIND_PROXY: Set to true ONLY if behind a trusted reverse proxy (nginx, caddy, cloudflare)
# - Development (default): false - Uses RemoteAddr only, immune to header spoofing
# - Production behind proxy: true - Trusts X-Forwarded-For from proxy
#
# TRUSTED_PROXY_IP: Optional - IP address of your reverse proxy
# - If set, only X-Forwarded-For headers from this IP are trusted
# - Example: 127.0.0.1 (for local nginx), 10.0.0.1 (for load balancer)
# - Leave empty to trust X-Forwarded-For from any source (less secure)
#
# Security Impact:
# - BEHIND_PROXY=false (dev): Ignores all X-Forwarded-For headers, uses actual connection IP
# - BEHIND_PROXY=true (prod): Trusts proxy, extracts client IP from X-Forwarded-For
# - Logs all suspicious spoofing attempts for security monitoring
#
BEHIND_PROXY=false
TRUSTED_PROXY_IP=

# Production Settings
# Uncomment for production:
# GO_ENV=production
# TEMPLATE_HOT_RELOAD=false
# READ_TIMEOUT=30
# WRITE_TIMEOUT=30
# ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
#
# Production behind reverse proxy:
# BEHIND_PROXY=true
# TRUSTED_PROXY_IP=127.0.0.1